npm - pompelmi - Versions diffs - 0.32.1 → 0.33.0 - Mend

pompelmi 0.32.1 → 0.33.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +36 -2
package/dist/pompelmi.cjs +77 -81
package/dist/pompelmi.cjs.map +1 -1
package/dist/pompelmi.esm.js +77 -81
package/dist/pompelmi.esm.js.map +1 -1
package/dist/types/scanners/common-heuristics.d.ts +2 -2
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -35,6 +35,7 @@
   <a href="https://www.producthunt.com/products/pompelmi"><img src="https://api.producthunt.com/widgets/embed-image/v1/featured.svg?post_id=1010722&theme=light" alt="pompelmi - Secure File Upload Scanning for Node.js | Product Hunt" style="width: 250px; height: 54px;" width="250" height="54" /></a>
   <br/>
   <a href="https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/"><img alt="Featured on HelpNet Security" src="https://img.shields.io/badge/🔒_FEATURED-HelpNet%20Security-FF6B35?style=for-the-badge"></a>
+  <a href="https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/"><img alt="Featured on Stack Overflow Blog" src="https://img.shields.io/badge/📖_FEATURED-Stack%20Overflow%20Blog-F58025?style=for-the-badge&logo=stackoverflow&logoColor=white"></a>
   <a href="https://snyk.io/test/github/pompelmi/pompelmi"><img alt="Secured by Snyk" src="https://img.shields.io/badge/🛡️_SECURED_BY-Snyk-4C4A73?style=for-the-badge&logo=snyk"></a>
   <br/>
   <a href="https://github.com/sorrycc/awesome-javascript"><img alt="Mentioned in Awesome JavaScript" src="https://awesome.re/mentioned-badge.svg"></a>
@@ -181,6 +182,7 @@ npm i pompelmi @pompelmi/express-middleware
 - [Security Notes](#-security-notes)
 - [Releases & Security](#-releases--security)
 - [Community & Recognition](#-community--recognition)
+- [Commercial Support](#-commercial-support)
 - [FAQ](#-faq)
 - [Tests & Coverage](#-tests--coverage)
 - [Contributing](#-contributing)
@@ -1081,7 +1083,7 @@ _Want to share your experience? [Open a discussion](https://github.com/pompelmi/
 - 💬 **[GitHub Discussions](https://github.com/pompelmi/pompelmi/discussions)** — Ask questions, share ideas, get community support
 - 🐛 **[Issue Tracker](https://github.com/pompelmi/pompelmi/issues)** — Report bugs, request features
 - 🔒 **[Security Policy](https://github.com/pompelmi/pompelmi/security)** — Report security vulnerabilities privately
-- 💼 **Commercial Support** — For enterprise support and consulting, contact the maintainers
+- 💼 **[Commercial Support](#-commercial-support)** — Private, async support by the maintainer for integration help, troubleshooting, and configuration review
 - 💖 **[Sponsor pompelmi](https://github.com/sponsors/pompelmi)** — Support ongoing development via GitHub Sponsors
 **Supported Frameworks:**
@@ -1096,6 +1098,35 @@ _Want to share your experience? [Open a discussion](https://github.com/pompelmi/
 ---
+## 💼 Commercial Support
+Limited commercial support is available for teams using pompelmi.
+Support is offered on a **private, asynchronous, best-effort basis** by the maintainer and may include:
+- Integration assistance
+- Configuration review
+- Prioritized troubleshooting
+- Upload security guidance
+Support is provided **in writing only**. Live calls and real-time support are not included.
+**To inquire**, email [pompelmideveloper@yahoo.com](mailto:pompelmideveloper@yahoo.com) with the following details:
+- Framework / runtime (e.g. Express, Next.js, Koa)
+- Node.js version
+- pompelmi version
+- A short description of the issue or goal
+- Expected behavior
+- Relevant logs or errors — avoid including secrets or sensitive data in your initial message
+- Urgency
+- Whether you need integration help, troubleshooting, or a configuration review
+> Community support (GitHub Issues, Discussions, and public docs) remains free and open to everyone.
+> For private vulnerability disclosure, see [SECURITY.md](./SECURITY.md).
+---
 ## 🎖️ Contributors
 Thanks to all the amazing contributors who have helped make pompelmi better!
@@ -1153,9 +1184,12 @@ In the examples, the guard attaches scan data to the request context (e.g. `req.
 **Why 422 for blocked files?**
 Using **422** to signal a policy violation keeps it distinct from transport errors; it’s a common pattern. Use the codes that best match your API guidelines.
-**Are ZIP bombs handled?**
+**Are ZIP bombs handled?**
 Archives are traversed with limits to reduce archive‑bomb risk. Keep your size limits conservative and prefer `failClosed: true` in production.
+**Is commercial support available?**
+Yes. Limited commercial support is available on a private, asynchronous, best-effort basis from the maintainer. Support is in writing only — no live calls or real-time support. Email [pompelmideveloper@yahoo.com](mailto:pompelmideveloper@yahoo.com). See the [Commercial Support](#-commercial-support) section for full details and the inquiry template.
 ---
 ## 🧪 Tests & Coverage

package/dist/pompelmi.cjs CHANGED Viewed

@@ -25,6 +25,81 @@ var crypto__namespace = /*#__PURE__*/_interopNamespaceDefault(crypto);
 var os__namespace = /*#__PURE__*/_interopNamespaceDefault(os);
 var path__namespace = /*#__PURE__*/_interopNamespaceDefault(path);
+function hasAsciiToken(buf, token) {
+    // Use latin1 so we can safely search binary
+    return buf.indexOf(token, 0, 'latin1') !== -1;
+}
+function startsWith(buf, bytes) {
+    if (buf.length < bytes.length)
+        return false;
+    for (let i = 0; i < bytes.length; i++)
+        if (buf[i] !== bytes[i])
+            return false;
+    return true;
+}
+function isPDF(buf) {
+    // %PDF-
+    return startsWith(buf, [0x25, 0x50, 0x44, 0x46, 0x2d]);
+}
+function isOleCfb(buf) {
+    // D0 CF 11 E0 A1 B1 1A E1
+    const sig = [0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1];
+    return startsWith(buf, sig);
+}
+function isZipLike$1(buf) {
+    // PK\x03\x04
+    return startsWith(buf, [0x50, 0x4b, 0x03, 0x04]);
+}
+function isPeExecutable(buf) {
+    // "MZ"
+    return startsWith(buf, [0x4d, 0x5a]);
+}
+/** OOXML macro hint via filename token in ZIP container */
+function hasOoxmlMacros(buf) {
+    if (!isZipLike$1(buf))
+        return false;
+    return hasAsciiToken(buf, 'vbaProject.bin');
+}
+/** PDF risky features (/JavaScript, /OpenAction, /AA, /Launch) */
+function pdfRiskTokens(buf) {
+    const tokens = ['/JavaScript', '/OpenAction', '/AA', '/Launch'];
+    return tokens.filter(t => hasAsciiToken(buf, t));
+}
+const CommonHeuristicsScanner = {
+    async scan(input) {
+        const buf = Buffer.from(input);
+        const matches = [];
+        // Office macros (OLE / OOXML)
+        if (isOleCfb(buf)) {
+            matches.push({ rule: 'office_ole_container', severity: 'suspicious' });
+        }
+        if (hasOoxmlMacros(buf)) {
+            matches.push({ rule: 'office_ooxml_macros', severity: 'suspicious' });
+        }
+        // PDF risky tokens
+        if (isPDF(buf)) {
+            const toks = pdfRiskTokens(buf);
+            if (toks.length) {
+                matches.push({
+                    rule: 'pdf_risky_actions',
+                    severity: 'suspicious',
+                    meta: { tokens: toks }
+                });
+            }
+        }
+        // Executable header
+        if (isPeExecutable(buf)) {
+            matches.push({ rule: 'pe_executable_signature', severity: 'suspicious' });
+        }
+        // EICAR test file
+        const EICAR_NEEDLE = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!";
+        if (hasAsciiToken(buf, EICAR_NEEDLE)) {
+            matches.push({ rule: 'eicar_test_file', severity: 'high', meta: { note: 'EICAR standard antivirus test file detected' } });
+        }
+        return matches;
+    }
+};
 function toScanFn(s) {
     return (typeof s === "function" ? s : s.scan);
 }
@@ -135,6 +210,8 @@ function composeScanners(...args) {
 }
 function createPresetScanner(preset, opts = {}) {
     const scanners = [];
+    // Always include heuristics (EICAR, PHP webshells, JS obfuscation, PE hints, etc.)
+    scanners.push(CommonHeuristicsScanner);
     // Add decompilation scanners based on preset
     if (preset === 'decompilation-basic' || preset === 'decompilation-deep' ||
         preset === 'malware-analysis' || opts.enableDecompilation) {
@@ -182,17 +259,6 @@ function createPresetScanner(preset, opts = {}) {
             }
         }
     }
-    // Add other scanners for advanced presets
-    if (preset === 'advanced' || preset === 'malware-analysis') {
-        // Add heuristics scanner
-        try {
-            const { CommonHeuristicsScanner } = require('./scanners/common-heuristics');
-            scanners.push(new CommonHeuristicsScanner());
-        }
-        catch {
-            // Heuristics not available
-        }
-    }
     if (scanners.length === 0) {
         // Fallback scanner that returns no matches
         return async (_input, _ctx) => {
@@ -3143,76 +3209,6 @@ function mapMatchesToVerdict(matches = []) {
     return isMal ? 'malicious' : 'suspicious';
 }
-function hasAsciiToken(buf, token) {
-    // Use latin1 so we can safely search binary
-    return buf.indexOf(token, 0, 'latin1') !== -1;
-}
-function startsWith(buf, bytes) {
-    if (buf.length < bytes.length)
-        return false;
-    for (let i = 0; i < bytes.length; i++)
-        if (buf[i] !== bytes[i])
-            return false;
-    return true;
-}
-function isPDF(buf) {
-    // %PDF-
-    return startsWith(buf, [0x25, 0x50, 0x44, 0x46, 0x2d]);
-}
-function isOleCfb(buf) {
-    // D0 CF 11 E0 A1 B1 1A E1
-    const sig = [0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1];
-    return startsWith(buf, sig);
-}
-function isZipLike$1(buf) {
-    // PK\x03\x04
-    return startsWith(buf, [0x50, 0x4b, 0x03, 0x04]);
-}
-function isPeExecutable(buf) {
-    // "MZ"
-    return startsWith(buf, [0x4d, 0x5a]);
-}
-/** OOXML macro hint via filename token in ZIP container */
-function hasOoxmlMacros(buf) {
-    if (!isZipLike$1(buf))
-        return false;
-    return hasAsciiToken(buf, 'vbaProject.bin');
-}
-/** PDF risky features (/JavaScript, /OpenAction, /AA, /Launch) */
-function pdfRiskTokens(buf) {
-    const tokens = ['/JavaScript', '/OpenAction', '/AA', '/Launch'];
-    return tokens.filter(t => hasAsciiToken(buf, t));
-}
-const CommonHeuristicsScanner = {
-    async scan(input) {
-        const buf = Buffer.from(input);
-        const matches = [];
-        // Office macros (OLE / OOXML)
-        if (isOleCfb(buf)) {
-            matches.push({ rule: 'office_ole_container', severity: 'suspicious' });
-        }
-        if (hasOoxmlMacros(buf)) {
-            matches.push({ rule: 'office_ooxml_macros', severity: 'suspicious' });
-        }
-        // PDF risky tokens
-        if (isPDF(buf)) {
-            const toks = pdfRiskTokens(buf);
-            if (toks.length) {
-                matches.push({
-                    rule: 'pdf_risky_actions',
-                    severity: 'suspicious',
-                    meta: { tokens: toks }
-                });
-            }
-        }
-        // Executable header
-        if (isPeExecutable(buf)) {
-            matches.push({ rule: 'pe_executable_signature', severity: 'suspicious' });
-        }
-        return matches;
-    }
-};
 const SIG_CEN = 0x02014b50;
 const DEFAULTS = {
     maxEntries: 1000,